Briefly describe how a DNS server works, and build a master-slave server pair.
- How a DNS server works:
DNS is short for Domain Name Service; its job is to look up an IP address from a domain name. From the client's point of view a DNS query is recursive; from the server's point of view it is, in the vast majority of cases, iterative. Resolving a name to an IP address is called forward resolution, and resolving an IP address back to a name is called reverse resolution. A DNS server that serves at least one domain of its own is called a DNS master server or a DNS slave (secondary) server; one that is not responsible for resolving any domain is called a DNS caching server. There are currently 13 DNS root servers distributed worldwide, named A through M.
- Domain name resolution process:
When a client looks up a name it first checks its own hosts file; if the name is there it uses that entry, otherwise it asks the DNS server.
The DNS server then works downward from the top-level domain to the second-level domain, obtaining the IP address of each level's name server in turn, until it finally obtains the IP address for the domain name and can reach the target server.
- DNS zone database file:
Resource records (resource record, abbreviated RR) come in the following types:
SOA: start of authority record; there can be only one, and it must be the first record
NS: name server record; one of them is the master, and there may be several
A: IPv4 address record
AAAA: IPv6 address record
CNAME: alias (canonical name) record
PTR: reverse resolution (pointer) record
MX: mail exchanger record
Building the master-slave server pair
- Install the software
[root@localhost ~]# yum -y install bind
[root@localhost ~]# yum -y install bind-utils
[root@localhost ~]# systemctl start named
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 9952/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 960/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 9952/named
tcp 0 0 127.0.0.1:25 0.0.0.0:*
- Configure the environment:
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.65.2
[root@localhost ~]# cat /etc/named.conf
options {
listen-on port 53 { 192.168.65.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
....
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- Configure a forward zone
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
type master;
file "test.com.zone";
};
[root@localhost ~]# cat /var/named/test.com.zone
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111301
[root@localhost ~]# chgrp named /var/named/test.com.zone
[root@localhost ~]# chmod o= /var/named/test.com.zone
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2018111301
OK
- Forward resolution test on the master DNS server
[root@localhost ~]# dig -t -A www.test.com
;; Warning, ignoring invalid type -A
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t -A www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27177
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
.....
- Configure the reverse zone
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "65.168.192.in-addr.arpa" IN {
type master;
file "192.168.65.zone";
};
[root@localhost ~]# cat /var/named/192.168.10.zone
$TTL 3600
$ORIGIN 65.168.192.in-addr.arpa.
@ IN SOA ns1.test.com. nsadmin.test.com. (
2018111301
[root@localhost ~]# chgrp named /var/named/192.168.65.zone
[root@localhost ~]# chmod o= /var/named/192.168.65.zone
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone 65.168.192.in-addr.arpa /var/named/192.168.10.zone
zone 65.168.192.in-addr.arpa/IN: loaded serial 2018111301
OK
- Reverse resolution test on the master server
[root@localhost ~]# dig -x 192.168.65.2
- Set up the slave DNS server
[root@localhost ~]# yum -y install bind bind-utils
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.65.3
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
type slave;
file "slaves/test.com.zone";
masters { 192.168.65.2; };
};
- Add records on the master server
[root@localhost ~]# cat /var/named/test.com.zone
$TTL 3600
$ORIGIN test.com.
.....
[root@localhost ~]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2018111309
OK
[root@localhost ~]# rndc reload
server reload successful
- Test the slave server
[root@localhost slaves]# dig -t A www.test.com @192.168.65.3
....
- Reverse-resolve an IP address on the slave server
[root@localhost ~]# dig -x 192.168.65.2 @192.168.65.3
.....
At this point the master and slave DNS servers are set up.
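The checks a practitioner would run after the reload above, as an added example that is not part of the original write-up: it assumes dig from bind-utils on the checking host, the server addresses 192.168.65.2 and 192.168.65.3 from the transcript, and that the reverse zone maps 192.168.65.2 back to ns1.test.com.

```shell
#!/bin/sh
# Post-deployment checks for the master/slave pair built above (added example,
# not from the original write-up). Needs dig from bind-utils; the server
# addresses and the ns1.test.com <-> 192.168.65.2 pairing are assumptions.
MASTER=${MASTER:-192.168.65.2}
SLAVE=${SLAVE:-192.168.65.3}

# Build the in-addr.arpa name that "dig -x" queries for an IPv4 address, e.g.
# 192.168.65.2 -> 2.65.168.192.in-addr.arpa (same reversal as the zone name).
ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Extract the serial (third field) from a "dig +short SOA" answer line such as
# "ns1.test.com. dnsadmin.test.com. 2018111309 3600 600 259200 86400".
soa_serial() {
    echo "$1" | awk '{ print $3 }'
}

# A slave only re-transfers the zone when the master's serial is higher, so a
# zone edited without bumping the serial stays stale after "rndc reload";
# comparing the two SOA serials catches that and any failed transfer.
zone_in_sync() {
    zone=$1
    m=$(soa_serial "$(dig +short SOA "$zone" @"$MASTER")")
    s=$(soa_serial "$(dig +short SOA "$zone" @"$SLAVE")")
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "$zone: in sync (serial $m)"; return 0
    fi
    echo "$zone: master=$m slave=$s (slave stale or zone transfer failed)"; return 1
}

# Forward and reverse data live in separate zones, so check that the A record
# and the PTR record agree for one host on both servers.
forward_reverse_match() {
    name=$1; ip=$2
    for srv in "$MASTER" "$SLAVE"; do
        a=$(dig +short A "$name" @"$srv")
        p=$(dig +short PTR "$(ptr_name "$ip")" @"$srv")
        [ "$a" = "$ip" ] && [ "$p" = "$name." ] || { echo "$srv: $name/$ip mismatch"; return 1; }
    done
    echo "$name <-> $ip consistent on both servers"
}

if [ "${1:-}" = "run" ]; then
    zone_in_sync test.com
    zone_in_sync 65.168.192.in-addr.arpa
    forward_reverse_match ns1.test.com 192.168.65.2
fi
```

Run it as `sh check_dns.sh run` from any host that can reach both servers; a stale slave shows up as differing serials.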
Build and implement intelligent DNS (BIND views).
Using 192.168.10.10 as the example server, build intelligent DNS
- Modify the DNS server's named.conf configuration file
view internal {
match-clients { 192.168.10.10; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view external {
match-clients { any; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
- Create two copies of the zone data file
[root@localhost ~]# cat /var/named/test.com/internal
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111602
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 192.168.10.10
www IN A 1.1.1.1
web IN CNAME www
bbs IN A 1.1.1.2
bbs IN A 1.1.1.3
[root@localhost ~]# cat /var/named/test.com/external
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111501
- Set permissions
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone test.com /var/named/test.com/internal
zone test.com/IN: loaded serial 2018111602
OK
[root@localhost ~]# named-checkzone test.com /var/named/test.com/external
zone test.com/IN: loaded serial 2018111501
OK
[root@localhost ~]# chgrp named /var/named/test.com/{internal,external}
[root@localhost ~]# chmod o= /var/named/test.com/{internal,external}
[root@localhost ~]# rndc reload
server reload successful
- Resolve from the internal IP address
[root@localhost ~]# dig -t A www.test.com @192.168.10.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.test.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
.....
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
.....
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Nov 16 15:19:01 CST 2018
;; MSG SIZE rcvd: 125
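BIND evaluates views in the order they appear in named.conf, and the first match-clients that matches the querying address wins, so the catch-all external view has to stay after internal. The following lint, added here and not part of the original post, checks that order in a named.conf; its constructed sample also shows per-view zone stanzas pointing each view at /var/named/test.com/internal and /external, which the post does not show and are assumed.

```shell
#!/bin/sh
# Added check, not from the page: BIND evaluates views in the order they appear
# in named.conf and the first "match-clients" that matches the querier wins, so
# a catch-all view (match-clients { any; }) must come last or it hides the
# internal view from 192.168.10.10. This lint prints the view order and fails
# when an "any" view is followed by another view.
check_view_order() {
    # $1: path to a named.conf; exit status 0 = safe order, 1 = catch-all too early
    awk '
        /^[ \t]*view[ \t]+/ { name = $2; gsub(/"/, "", name); views[++n] = name }
        /match-clients/ {
            line = $0
            sub(/.*match-clients[ \t]*[{]/, "", line)
            sub(/[}].*/, "", line)
            clients[n] = line
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                printf "%d. view %s matches {%s}\n", i, views[i], clients[i]
                if (clients[i] ~ /(^|[^a-z])any([^a-z]|$)/ && i < n) {
                    printf "ERROR: catch-all view %s precedes view %s\n", views[i], views[i + 1]
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

# Constructed sample in the shape of the config above; the zone stanzas show
# how each view is pointed at its own data file (assumed, the page omits them).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
view internal {
    match-clients { 192.168.10.10; };
    zone "test.com" IN { type master; file "test.com/internal"; };
};
view external {
    match-clients { any; };
    zone "test.com" IN { type master; file "test.com/external"; };
};
EOF
check_view_order "$SAMPLE"
rm -f "$SAMPLE"
```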
Use iptables to allow ssh, telnet, ftp and the web service on port 80, and reject all other ports and services
[root@localhost ~]# sudo iptables -I INPUT -p tcp -m multiport --dports 21,23,80,139,445 -j ACCEPT
[root@localhost ~]# sudo iptables -A INPUT -j REJECT
[root@localhost ~]# sudo iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,139,445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,139,445
1740 741K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 82 packets, 6742 bytes)
pkts bytes target prot opt in out source destination
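An added example rather than the post's own commands: the task asks for ssh to pass, but the multiport list above (21,23,80,139,445) contains no port 22, so the final REJECT also rejects SSH, and running the two commands twice produced the duplicate rules seen in the listing. The script below rebuilds INPUT from scratch with a dry-run mode (the default unless run with --apply) so the generated rules can be inspected before they are loaded.

```shell
#!/bin/sh
# Added example, not the post's own commands. The task asks to pass ssh, but the
# multiport list typed above (21,23,80,139,445) has no port 22, so the trailing
# REJECT also rejects SSH, and running the commands twice duplicated every rule.
# This builder flushes INPUT first, keeps loopback and established traffic, and
# rejects the rest. Run with "--apply" as root; otherwise it only prints.
IPT=${IPT:-iptables}
ALLOWED_TCP=${ALLOWED_TCP:-21,22,23,80}   # ftp, ssh, telnet, http (ftp/telnet are cleartext)

apply_filter_rules() {
    $IPT -F INPUT                                   # no duplicates on a second run
    $IPT -A INPUT -i lo -j ACCEPT                   # local services, e.g. rndc on 127.0.0.1:953
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to our own sessions
    $IPT -A INPUT -p tcp -m multiport --dports "$ALLOWED_TCP" -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-REJECT: "   # rate-limited audit trail
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Dry-run view of the rule set: the same calls with iptables replaced by echo.
generated_filter_rules() { ( IPT=echo; apply_filter_rules ); }

# Returns 0 when the generated multiport rule accepts TCP port $1.
rule_allows_tcp_port() {
    generated_filter_rules |
        awk '/--dports/ { for (i = 1; i <= NF; i++) if ($i == "--dports") print $(i + 1) }' |
        tr ',' '\n' | grep -qx "$1"
}

if [ "${1:-}" = "--apply" ]; then
    apply_filter_rules
else
    generated_filter_rules
fi
```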
Summary of how NAT works
NAT rewrites the source or destination IP address in an IP packet; its main purpose is to translate private addresses into public, routable addresses on the Internet.
Implement SNAT and DNAT with iptables and persist the rules
Lab environment: CentOS 7.9
- Modify the kernel parameter to enable packet forwarding
[root@Centos7 ~]# yum install iptables-services
[root@Centos7 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
- Implement SNAT and DNAT
SNAT
[root@Centos7 ~]# iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j SNAT --to-source 192.168.31.78
DNAT
[root@Centos7 ~]# iptables -t nat -A PREROUTING -d 192.168.31.78 -p tcp --dport 80 -j DNAT --to-destination 10.0.2.12:80
- Persist the rules
[root@Centos7 ~]# cp /etc/sysconfig/iptables{,.bak}
[root@Centos7 ~]# /usr/libexec/iptables/iptables.init save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@Centos7 ~]# iptables-save > /etc/sysconfig/iptables
[root@Centos7 ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
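The same SNAT/DNAT setup as an added, self-contained script (not the post's own commands), with the FORWARD rules and the immediate sysctl step that the transcript leaves out; the addresses are the ones used above, and it saves to the same /etc/sysconfig/iptables file that iptables.service restores.

```shell
#!/bin/sh
# Added example, not the post's commands, for the same topology: LAN 10.0.2.0/24
# behind the outside address 192.168.31.78, web server 10.0.2.12. Besides the
# two nat rules shown above it turns forwarding on immediately (editing
# sysctl.conf alone only takes effect after "sysctl -p" or a reboot) and adds
# the FORWARD rules that translated packets still have to pass. Run with
# "--apply" as root; otherwise it only prints the rules it would load.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
WAN_IP=192.168.31.78
LAN_NET=10.0.2.0/24
WEB_SERVER=10.0.2.12

enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1     # persist it in /etc/sysctl.conf as shown above
}

apply_nat_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
    # SNAT: LAN hosts leave with the fixed outside address (skip LAN-to-LAN traffic).
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" -j SNAT --to-source "$WAN_IP"
    # DNAT: publish only port 80 of the internal web server on the outside address.
    $IPT -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # FORWARD is consulted after DNAT, so allow exactly the translated flows and drop the rest.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -d "$WEB_SERVER" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -P FORWARD DROP
}

save_rules() {
    iptables-save > /etc/sysconfig/iptables     # the file iptables.service restores at boot
}

# Dry-run helpers to inspect the generated rule set without touching the kernel.
generated_nat_rules() { ( IPT=echo; apply_nat_rules ); }
dnat_target() {
    generated_nat_rules | awk '/-j DNAT/ { for (i = 1; i <= NF; i++) if ($i == "--to-destination") print $(i + 1) }'
}
forward_allows_web() {
    generated_nat_rules | grep -q -- "-A FORWARD -d $WEB_SERVER -p tcp --dport 80 "
}

if [ "${1:-}" = "--apply" ]; then
    enable_forwarding && apply_nat_rules && save_rules
else
    generated_nat_rules
fi
```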